Adding user to a Power Platform Environment using PowerShell and assigning a Custom Security Role


I need to add a user to the Power Platform environment using PowerShell and assign a custom security role.

I was trying to use the Set-AdminPowerAppEnvironmentRoleAssignment command to do that, but I found out that we can only assign Environment Maker and Environment Admin.

I don't want to create a security group and assign the user to that. Any help would be greatly appreciated.

  • Suggested answer
    Christ0f
    You can use the following PowerShell module to create a contact from an Entra ID user and assign custom security roles in the dataverse to a contact without security groups.

    You need system administrator permissions in the dataverse and your script would look something like:

    #Please test this code first in a developer environment!

    # Import the module and connect to your Dataverse environment.
    Import-Module Microsoft.Xrm.Data.PowerShell
    $connection = Connect-CrmOnline -Interactive
    # Define the Entra ID user's email (or another unique identifier).
    $email = "john.doe@company.com"
    # Query the AADUser virtual table for the Entra ID user.
    # (Remember: the AADUser table is read‑only and contains details from your Entra ID.)
    $aadUser = Get-CrmRecords -EntityLogicalName "aaduser" `
        -FilterAttribute "emailaddress" -FilterOperator "eq" -FilterValue $email
    if ($aadUser.CrmRecords.Count -eq 0) {
        Write-Output "Entra ID user not found."
        return
    }
    # Map the AADUser fields to Contact fields.
    # (Adjust field names as necessary for your environment.)
    $contactFields = @{
        firstname      = $aadUser.CrmRecords[0].firstname
        lastname       = $aadUser.CrmRecords[0].lastname
        emailaddress1  = $aadUser.CrmRecords[0].emailaddress
        # Add other mappings as needed.
    }
    # Create the Contact record.
    $newContact = New-CrmRecord -EntityLogicalName "contact" -Fields $contactFields
    Write-Output "Created Contact with ID: $($newContact.Id)"
    # --------------------------------------------------------------
    # If your process enables this Contact as a portal user, a corresponding System User record will be created.
    # You can then assign a custom security role to that System User.
    # --------------------------------------------------------------
    # Retrieve the associated System User record based on the Contact.
    # (This example assumes the systemuser record has a lookup to the contact via 'contactid'.)
    $systemUser = Get-CrmRecords -EntityLogicalName "systemuser" `
        -FilterAttribute "contactid" -FilterOperator "eq" -FilterValue $newContact.Id
    if ($systemUser.CrmRecords.Count -eq 0) {
        Write-Output "No associated system user found. Ensure the contact is enabled as a portal user."
    } else {
        # Retrieve your custom security role. Replace "Custom Role" with your role's name.
        $roleName = "Custom Role"
        $role = Get-CrmRecords -EntityLogicalName "role" `
            -FilterAttribute "name" -FilterOperator "eq" -FilterValue $roleName
        if ($role.CrmRecords.Count -eq 0) {
            Write-Output "Custom security role '$roleName' not found."
        } else {
            # Assign the role to the system user.
            $systemUserId = $systemUser.CrmRecords[0].systemuserid
            $roleId = $role.CrmRecords[0].roleid
            # Use the relationship name for system user roles; by default it's often "systemuserroles_association".
            Add-CrmRecordAssociation -EntityLogicalName1 "systemuser" `
                -Id1 $systemUserId `
                -EntityLogicalName2 "role" `
                -Id2 $roleId `
                -RelationshipName "systemuserroles_association"
            Write-Output "Assigned security role '$roleName' to system user with ID: $systemUserId"
        }
    }
     
  • Suggested answer
    Sean McNellis
    I believe @Christ0f's answer is directed at creating contacts in dataverse from existing user records; reading your question, I believe you're asking how to assign a role to existing users in dataverse (as you do not have it security group restricted, all the users should be in dataverse already). If you already have a user in dataverse and just need to assign the role, I know of two methods to accomplish this:

    1. You can use Xrm Data PowerShell as @Christ0f mentioned, however you'll want to use the cmdlet Add-CrmSecurityRoleToUser. You connect to the online environment following the documentation and then you can execute the cmdlet using the user's information and the roleid or information you want to assign.
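
The Add-CrmSecurityRoleToUser approach from the second answer, as an added example that is not code from either poster: it assigns a custom role to a user who already exists in Dataverse, resolving the role copy that belongs to the user's own business unit and skipping the call when the role is already assigned. The UPN and role name are placeholders, and the interactive discovery login is an assumption about how you connect.

```powershell
# Added example (not from the thread). $upn and $roleName are placeholders.
Import-Module Microsoft.Xrm.Data.PowerShell
$conn = Connect-CrmOnlineDiscovery -InteractiveMode

$upn      = "john.doe@company.com"
$roleName = "Custom Role"

# 1. Resolve exactly one enabled systemuser by UPN (the domainname column).
$users = Get-CrmRecords -conn $conn -EntityLogicalName systemuser `
    -FilterAttribute domainname -FilterOperator eq -FilterValue $upn `
    -Fields systemuserid, businessunitid, isdisabled
if ($users.CrmRecords.Count -ne 1) { throw "Expected one systemuser for $upn, found $($users.CrmRecords.Count)." }
$user = $users.CrmRecords[0]
if ($user.isdisabled_Property.Value) { throw "User $upn is disabled; not assigning roles." }
$userId = $user.systemuserid
$buId   = $user.businessunitid_Property.Value.Id

# 2. Each business unit holds its own copy of a role; pick the copy in the user's unit.
#    The role name is XML-escaped before it is placed in the FetchXML.
$safeName  = [System.Security.SecurityElement]::Escape($roleName)
$roleFetch = @"
<fetch>
  <entity name="role">
    <attribute name="roleid" />
    <filter>
      <condition attribute="name" operator="eq" value="$safeName" />
      <condition attribute="businessunitid" operator="eq" value="$buId" />
    </filter>
  </entity>
</fetch>
"@
$roles = Get-CrmRecordsByFetch -conn $conn -Fetch $roleFetch
if ($roles.CrmRecords.Count -ne 1) { throw "Role '$roleName' was not found exactly once in the user's business unit." }
$roleId = $roles.CrmRecords[0].roleid

# 3. Check the systemuserroles intersect table so a re-run does not try to add a duplicate.
$linkFetch = @"
<fetch><entity name="systemuserroles"><attribute name="systemuserroleid" /><filter>
  <condition attribute="systemuserid" operator="eq" value="$userId" />
  <condition attribute="roleid" operator="eq" value="$roleId" />
</filter></entity></fetch>
"@
if ((Get-CrmRecordsByFetch -conn $conn -Fetch $linkFetch).CrmRecords.Count -gt 0) {
    Write-Output "User $upn already holds '$roleName'; nothing to do."
} else {
    Add-CrmSecurityRoleToUser -conn $conn -UserId $userId -SecurityRoleId $roleId
    Write-Output "Assigned '$roleName' ($roleId) to $upn ($userId)."
}
```

Run it as an account that holds only the privileges needed to assign roles in that environment, and keep the output as a record of who was granted what.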
